REVIEW: "Defending Your Digital Assets", Randall K. Nichols/Dani
- BKDYDAAH.RVW 20000515
"Defending Your Digital Assets", Randall K. Nichols/Daniel J.
Ryan/Julie J. C. H. Ryan, 2000, 0-07-212285-4, U$49.99
%A Randall K. Nichols rnichols@...
%A Daniel J. Ryan danryan@...
%A Julie J. C. H. Ryan julieryan@...
%C 300 Water Street, Whitby, Ontario L1N 9B6
%I McGraw-Hill Ryerson/Osborne
%O U$49.99 905-430-5000 800-565-5758 905-430-5134 fax: 905-430-5020
%P 858 p.
%T "Defending Your Digital Assets: Against Hackers, Crackers, Spies,

In the preface, the authors decide to define their own terms their own
way. For example, hackers break into computers for the thrill of it,
while crackers break in for profit. They also state that there is a
tension between securing a network and managing it, ignoring the fact
that most people see security as a management issue. Later, in the
first chapter, the "authors apologize for being a little informal" in
what they say. Aside from the lack of any reason given for the
necessity of this "informality", it certainly appears to be much more
appropriate to call it disorganization and a lack of discipline. The
book is supposed to be aimed at executives and managers, rather than
security specialists, or is intended to be used as the text for a
graduate information security course. Again, leaving aside the
inherent contradiction in that assertion, the material in this work is
not just careless, but so seriously flawed that any manager relying on
it (let alone the poor grad student) is going to be seriously misled.

Part one purports to be an overall introduction. Chapter one starts
with digital espionage and throws around lots of scary numbers and
names. Unfortunately, the text lacks any analysis of the reports
being cited, most of which seem to be opinion surveys, and some of
which contradict each other. (Attacks are said to number in the
hundreds per day in one account, while another [from the NSA] asserts
250 per year, and yet a third [from the FCIRC] states 244--for the
same year.) The text is also extremely confused and appears to be
almost deliberately unstructured: one paragraph starts talking about
fraud and then covers the Morris Internet Worm, the only link being
that Morris was prosecuted under the Computer Fraud and Abuse Act.
Explanations are careless: the venerable Crack security tool is said
to "attack" computers. The material is very disorganized, and if you
can trace a common thread through a section of the text you will find
that most of the content is peripheral to it. Chapter two is supposed
to cover information security (infosec, in the book's jargon), but
instead continues to regale us with stories of digital espionage (DE)
and infowar. (Except for a seemingly pointless digression into

Part two is to present us with infosec concepts. Chapter three,
somewhat surprisingly, does give us a decent "Common Body of
Knowledge" overview and threat list, along with some risk management
and infosec architecture. A serviceable discussion of policy, with
some time out for US fed bashing, is in chapter four. Privacy, in
chapter five, is not covered well: we have a flatly inflammatory
definition of a "cookie," and ten pages of unsupported tables and odd
graphs which eventually reveal that some people want privacy and
others want to collect data. (Big surprise.) Chapter six talks about
security system certification and verification.

Part four touches on practical infosec. Chapter seven gives a decent
outline of cryptography, with a good comparison of strength, but a
huge "analysis" of key recovery and escrow systems shows only that
some like it and some don't. Access control systems are covered in
chapter eight. Digital signatures and certificate authorities are
reviewed in chapter nine: the web of trust model is mentioned, but not
analyzed or used in the material. Chapter ten is a confused
discussion of permission management, concentrating primarily on
e-commerce and the Web. Various factors in Virtual Private Networks
(VPN) are listed in chapter eleven. Some biometric methods are
described in chapter twelve.

Part four does not really deal with business continuity and recovery,
but emphasizes "event management." Chapter thirteen looks at general
security factors before the attack. "During and after the attack," in
chapter fourteen, examines some audit and detection and some Web

Continuing with the militaristic imagery, part five wants to give us
an "order of battle" for infowar. Chapter fifteen's "big picture" is
more on risk assessment. The definition of infowar, in chapter
sixteen, is vague, generic, and limited in scope. Malicious code is
described as a type of virus in chapter seventeen, rather than virus
being a subset of the class of malicious software. More infowar
details, and a general model of military intelligence, bog down in a
weird architecture model. "Methods of Employment," in chapter
eighteen, is probably more useful if you want to attack somebody.
Public key infrastructure, in chapter nineteen, reprises chapter nine.
Chapter twenty's look at cryptography and politics concentrates on US
regulations and cases, with little philosophical discussion of the

The appendices that close the book are of limited use. For example,
the "annotated bibliography" is not annotated, and contains a number
of general press articles and news stories.

While there is some useful material in this text, the entire work
requires a wholesale reordering to be of any value. A solid
restructuring along topical lines would allow a great deal of
extraneous verbiage to be discarded. A disciplined adherence to the
topic at hand would make the valuable content much more accessible to
the target audience. As it is, the book joins a long line of similar,
and similarly disorganized, "guides" that do not really help the non-

copyright Robert M. Slade, 2000 BKDYDAAH.RVW 20000515
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade